Deployment Architecture
×

Are you a member of the Splunk Community?

Sign in or Register with your Splunk account to get your questions answered, access valuable resources and connect with experts!
cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 
Ask a Question
Solved! Jump to solution

Calculate the difference between two values by time division

quixand
Path Finder
‎04-12-2016 07:50 AM

Hi all,

I need to get some stats from an Apache ActiveMQ message broker. The broker has a web dashboard of broker queue depths.
- current queue depth
- messages dequeued (since last restart)

As far as I'm aware, there are no other stats available.

I want to know the number of messages that have dequeued from the broker by time division (say 1h but could be by 3h or day or week). I simply want to know the total number of messages that have been consumed per queue so I can visualize queue performance over time.

We have a bash script that harvests the counter and records to a log, something like

Tue Apr 12 15:01:02 BST 2016 AppQueueA_depth="10" AppQueueA_dequeue="500"

This is recorded every 5 minutes, but because this is a total since application restart, I need to subtract the first occurrence of AppQueueA_dequeue from the first occurrence from the previous hour, and so on and so forth.

I think i need to bucket the events by hour and extract the first event per bucket, then calculate the difference between each one.

Any help appreciated.

0 Karma
Reply
1 Solution
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-12-2016 08:45 AM

Give this a try

your base search | bucket span=1h _time | stats min(AppQueueA_dequeue) as AppQueueA_dequeue by _time | delta AppQueueA_dequeue as msgProcessed | table _time msgProcessed

View solution in original post

Reply
Solved! Jump to solution

twinspop
Influencer
‎04-12-2016 08:49 AM

EDIT: removed streamstats hackery. somesoni2's answer shows off delta which would be better than streamstats in this situation.

0 Karma
Reply
Solved! Jump to solution
Solution

somesoni2
Revered Legend
‎04-12-2016 08:45 AM

Give this a try

your base search | bucket span=1h _time | stats min(AppQueueA_dequeue) as AppQueueA_dequeue by _time | delta AppQueueA_dequeue as msgProcessed | table _time msgProcessed
Reply
Solved! Jump to solution

quixand
Path Finder
‎04-14-2016 08:50 AM

Thanks, this is exactly what I needed.

0 Karma
Reply
Get Updates on the Splunk Community!

Shape the Future of Splunk: Join the Product Research Lab!

Join the Splunk Product Research Lab and connect with us in the Slack channel #product-research-lab to get ...

Auto-Injector for Everything Else: Making OpenTelemetry Truly Universal

You might have seen Splunk’s recent announcement about donating the OpenTelemetry Injector to the ...

[Puzzles] Solve, Learn, Repeat: Character substitutions with Regular Expressions

This challenge was first posted on Slack #puzzles channelFor BORE at .conf23, we had a puzzle question which ...